Search CVE reports


Toggle filters

1 – 10 of 60 results


CVE-2026-8384

Medium priority
Needs evaluation

In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve...

2 affected packages

jetty12, jetty9

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
jetty12 Needs evaluation Not in release Not in release
jetty9 Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-6790

Medium priority
Needs evaluation

In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present). This was not enforced in earlier HTTP RFC (for...

2 affected packages

jetty12, jetty9

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
jetty12 Needs evaluation Not in release Not in release
jetty9 Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-10051

Medium priority
Needs evaluation

In Eclipse Jetty, a first HTTP/1.1 request with trailers causes the server to retain the trailers in subsequent requests performed over the same connection. Subsequent request that do not have trailers report the trailers of...

2 affected packages

jetty12, jetty9

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
jetty12 Needs evaluation Not in release Not in release
jetty9 Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2024-7708

Medium priority
Needs evaluation

For requests that have a body, but reading the body may end up in reading 0 bytes, there is a buffer leak. This is particularly the case for 100-Continue, but any request where the network is slow can leak.

2 affected packages

jetty12, jetty9

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
jetty12 Needs evaluation Not in release Not in release
jetty9 Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-2332

Medium priority
Needs evaluation

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * ...

2 affected packages

jetty9, jetty12

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
jetty9 Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
jetty12 Needs evaluation Not in release Not in release
Show less packages

CVE-2026-5795

Medium priority
Needs evaluation

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the...

2 affected packages

jetty9, jetty

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
jetty9 Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
jetty Not in release Not in release Not in release
Show less packages

CVE-2026-1605

Medium priority
Needs evaluation

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is...

2 affected packages

jetty9, jetty12

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
jetty9 Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
jetty12 Needs evaluation Not in release Not in release
Show less packages

CVE-2025-11143

Medium priority
Needs evaluation

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example...

2 affected packages

jetty9, jetty12

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
jetty9 Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
jetty12 Needs evaluation Not in release Not in release
Show less packages

CVE-2025-5115

Medium priority
Needs evaluation

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent...

2 affected packages

jetty9, jetty

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
jetty9 Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
jetty Not in release Not in release Not in release
Show less packages

CVE-2025-1948

Medium priority
Needs evaluation

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this...

3 affected packages

jetty9, jetty, jetty12

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
jetty9 Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
jetty Not in release Not in release Not in release
jetty12 Not affected Not in release Not in release
Show less packages